Endpoint protection

The article "Modern Internet attacks" is provided by Sophos Plc and SophosLabs.

August 2007

The target computers should have security software running even if the computer is also protected with network tools. The most suitable solution can be motivated by various features of antivirus products. One of these features is detecting a threat proactively, that is, identifying previously unknown malware. Extensive use of server automation for modifying files provokes a demand for products that can identify new samples. A useful addition to the usual file verification technologies is real-time protection, often called host intrusion prevention (HIP) [61.62]. Such systems check executable files to detect malware. Although it's better to prevent such files from running at all, real time protection is useful if infecting process has already started. It helps to stop infecting mechanism before the main malware component is loaded. This is very useful for resisting infection techniques used in Internet attacks, when several different components are loaded and launched.

Network firewall is also important for client protection. It helps to resist Troyan downloaders even if they aren't detected with an antivirus check. Leading network firewalls often use technologies that help to resist insertion of code into processes — a technology often used in trojan downloaders.

Given the popularity of exploits in Internet attacks, another useful protection technology is resisting buffer overflow attacks (BOP) [63]. Such technologies usually monitor memory areas of certain processes to identify the attacked processes and detect buffer overflows. This allows to resist attacks by detecting buffer overflow when a vulnerable client visits an attacking site. With increasing complexity and sophistication of malware, protection of client computers becomes more and more difficult. When choosing the right product you should take into account all of the listed technologies, remembering also the manageability and usability.